OSV ID
MAL-2026-10583
Ecosystem
npm
Summary
chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs .init.js on npm install . .init.js enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory ( ~/.npmrc , ~/.env , ~/.env.local , ~/.env.production , ~/config.json , ~/credentials.json ), and scans ~/.config for filenames containing token , cred , or secret . It also collects host identifiers via os.hostname() and os.platform() . The harvested data is POSTed as JSON to a hardcoded https://webhook.cool/at/tender-deer-80/... endpoint. The package name typosquats the popular chalk library.
Source: amazon-inspector (31c82b41c09114082b8c0ac8ba6f7bf5ffad8b7da40478ce409443ef00171619)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.